Monday, October 7, 2024
HomeCyber Security NewsHackers Started using Python for Developing New Ransomware

Hackers Started using Python for Developing New Ransomware

Published on

Ransomware has been one of the top threats to organizations, contributing several millions of dollars to multiple organizations worldwide.

Most of these ransomware operators infiltrate the systems, steal sensitive data, and lock the systems with ransomware.

There have been a variety of ransomware activities in the past, such as WannaCry, GandCrab, and many others.

- Advertisement - EHA

Most of the ransomware operators use custom-written ransomware for their operations. However, there has been a rise in Python-based ransomware variants in recent years.

Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

New Python Ransomware

According to the K7 labs report, a recent ransomware sample was found and investigated. It turned out to be written in Python, which is not common. The ransomware binary was checked in VirusTotal and was detected by 47 antivirus providers.

Virustotal Analysis (Source: K7 Security Labs)
Virustotal Analysis (Source: K7 Security Labs)

The malicious file was found to be an executable file compiled in C++. Moreover, the executable file had a PDF icon as a means of disguising its original extension. To further investigate, the malicious PDF file was extracted with pyinstxtractor. Further analysis revealed the main source code file under the name “grinchv3.pyc”.

PDF and pyinstxtractor (Source: K7 Security Labs)
PDF and pyinstxtractor (Source: K7 Security Labs)

Behavioral Analysis

The script was written with several lines of code under a single class named “sweet.” The __init__ function of the class gathers additional information and performs the following functions.

  • Fetches the current user of the victim machine
  • Drive partition scanning (A:\ to Z:\ is scanned)
  • Determining the Type of files to encrypt

Moreover, the encryption is started only after adding the unlock notes under the name “UNLOCK MY FILES.txt” on all the file paths that are about to be encrypted. For encryption, the Fernet Python cryptography module was used. After encrypting, a pop-up message is configured to be shown to the user.

All the encrypted files are under the extension “.enc” and remain unreadable after the ransomware encrypts them. Furthermore, the ransom notes include the email address of the attacker to contact for decryption.

Ransom Note (Source: K7 Security Labs)
Ransom Note (Source: K7 Security Labs)

K7 Security Labs has published a complete report about this new Python ransomware variant. It provides detailed information about this new Python-based ransomware source code, encryption methodology, and experimental and behavioral analysis.

Indicators of Compromise

HashDetection Name
C967B8198501E3CE3A0E323B37D94D15Trojan ( 005af6051 )
Eswar
Eswar
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...

Microsoft & DOJ Dismantles Hundreds of Websites Used by Russian Hackers

Microsoft and the U.S. Department of Justice (DOJ) have disrupted the operations of Star...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Hybrid Analysis Utilizes Criminal IP’s Robust Domain Data for Better Malware Detection

Criminal IP, a renowned Cyber Threat Intelligence (CTI) search engine developed by AI SPERA,...

RCE Vulnerability (CVE-2024-30052) Allow Attackers To Exploit Visual Studio via Dump Files

The researcher investigated the potential security risks associated with debugging dump files in Visual...

Cacti Network Monitoring Tool Vulnerability Let Attackers Execute Remote Code

A critical security vulnerability has been identified in the Cacti network monitoring tool that...